encode starlette
cpe:2.3:a:encode:starlette:*:*:*:*:python:*:*
- < 0.47.1
A denial-of-service vulnerability has been identified in Starlette, an ASGI framework for building asynchronous web services in Python. This issue affects versions prior to 0.47.1. When the framework parses multi-part forms containing large files that exceed the default maximum spool size, Starlette blocks the main thread to write the file to disk. This behavior stalls the event loop, preventing the application from handling new connections. The vulnerability arises because the UploadFile component does not check whether a write operation will cause the file to exceed its in-memory limit, so the resulting rollover to disk is performed synchronously on the main thread.
Exploiting this vulnerability can cause the application to block the main thread, disrupting the event loop and preventing the acceptance of new connections. This behavior can degrade the application's performance, especially under high concurrency with large file uploads, effectively creating a denial-of-service condition.
The vulnerability can be reproduced by uploading large files, exceeding the default maximum spool size, through a multi-part form. This can be done by sending concurrent requests with files that trigger the rollover to disk, causing the main thread to block and delay the processing of new connections.
Users can upgrade to Starlette version 0.47.2, which addresses the vulnerability by improving the file handling logic to prevent unnecessary blocking of the main thread.
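As an added illustration, not Starlette's own code, the following minimal spooled upload buffer shows the pattern the advisory describes: check whether a write would push the in-memory buffer past its spool size, and if so run that write (the one that copies the buffer to disk) in a worker thread instead of on the event loop. The class, method and field names are assumptions, and `offload_rollover=False` reproduces the pre-fix behaviour so the two can be compared.

```python
import asyncio
import threading
from tempfile import SpooledTemporaryFile
# Hypothetical upload buffer modelled on the advisory's description of UploadFile
# (assumed names; not Starlette's own code). offload_rollover=False reproduces the
# pre-fix behaviour: the write that spills the buffer to disk runs on the loop thread.
class SpooledUpload:
    def __init__(self, max_size: int, offload_rollover: bool = True) -> None:
        self.max_size = max_size
        self.offload_rollover = offload_rollover
        self._file = SpooledTemporaryFile(max_size=max_size)
        self._in_memory = True
        self.rollover_thread_ident = None  # which thread paid for the disk rollover

    def _would_roll_over(self, data: bytes) -> bool:
        # SpooledTemporaryFile rolls to disk once its in-memory size exceeds max_size.
        return self._in_memory and self._file.tell() + len(data) > self.max_size

    def _rollover_write(self, data: bytes) -> None:
        self.rollover_thread_ident = threading.get_ident()
        self._file.write(data)  # this call copies the whole buffer to a real file
        self._in_memory = False

    async def write(self, data: bytes) -> None:
        if self._would_roll_over(data):
            if self.offload_rollover:
                await asyncio.to_thread(self._rollover_write, data)  # loop stays free
            else:
                self._rollover_write(data)  # blocks the event loop, as in the advisory
        elif self._in_memory:
            self._file.write(data)  # cheap in-memory append, safe on the loop
        else:
            await asyncio.to_thread(self._file.write, data)  # already on disk

    async def read_all(self) -> bytes:
        self._file.seek(0)
        return await asyncio.to_thread(self._file.read)

def upload_roundtrip(chunks: list, max_size: int, offload_rollover: bool = True) -> dict:
    """Push constructed chunks through the buffer and report where the rollover ran."""
    async def run() -> dict:
        loop_thread = threading.get_ident()
        upload = SpooledUpload(max_size, offload_rollover)
        for chunk in chunks:
            await upload.write(chunk)
        data = await upload.read_all()
        return {"intact": data == b"".join(chunks),
                "rolled_over": not upload._in_memory,
                "rollover_on_loop_thread": upload.rollover_thread_ident == loop_thread}
    return asyncio.run(run())
```

With a 250-byte spool and four constructed chunks of 100, 100, 100 and 10 bytes, the third write triggers the rollover; `rollover_on_loop_thread` is False with offloading and True in the pre-fix mode.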